Despite the best defense and the best infrastructure, organizations do get hacked. However, the success of a security program should not be defined singularly by the ability to prevent security breaches but by the organization’s ability to rapidly bounce back, states Sumit Dhar, Senior Director & Head of Information Security, EdgeVerve (a subsidiary of Infosys), in an interview with EC
What are the typical security risks organizations face today?
There is no dearth of security risks in today’s digital economy. If you look at the attacks today, they are just getting bigger, more complex and amazingly sophisticated. Additionally, as it became evident with Stuxnet, nation-states are now involved. That said, in my opinion, the top security risks that organizations currently face are:
#1 Ransomware: There is a reason why ransomware is such a dire threat. Once a victim is infected, it is usually game over for them. Additionally, with other breaches, malicious actors need to find middlemen to purchase the data (for example, credit card details). However, with ransomware they completely cut out the middlemen and pocket 100% of the proceeds. Therefore, ransomware will remain a key threat for organizations in 2017.
#2 Data Breaches: Information security is asymmetric. Defenders need to ensure every server, every network component, every application is hardened. Attackers, on the other hand, need to find just one weakness in the organization’s defenses. As a result, we will continue to see data breaches.
#3 Mobile Malware: If one looks at the payouts offered by companies like Zerodium (a company acquiring premium zero-day vulnerabilities with functional exploits from security researchers and companies), the highest payouts are for mobile operating systems (iOS and Android). This clearly indicates the importance attackers are placing on mobile platforms. If whitehat hackers like Zerodium are focusing so much on mobile platforms, it would not be surprising to see a similar focus in the blackhat and underground community. Given the pervasiveness of mobiles, it is but obvious that we will see an exponential increase in attacks targeting mobile platforms.
Given the risk exposure, what should organizations do?
Three words: Defense in Depth. Unfortunately, there is no single silver bullet that can solve an organization’s security-related problems. Therefore, CISOs globally are focusing on defense in depth and adding multiple layers of protection to defend their organization. Personally, I believe these are some of the layers that are required in any organization’s security posture:
Layer 1: A strong culture of cybersecurity
This requires top management commitment to security and security-related training/awareness for all employees.
Layer 2: A proper Information Security Management System
Such a system would typically consist of relevant policies, procedures, guidelines etc. Many organizations may use ISO 27001 as a framework for developing their ISMS.
Layer 3: Robust Technical Controls
This includes perimeter security infrastructure (firewalls, Intrusion Detection / Prevention Systems, anti-malware, Web Application Firewalls, Security Information and Event Management etc.), OS / DB / application hardening and usage of proper security protocols (e.g. SSH over Telnet, SFTP over FTP).
Layer 4: Assurance
As a part of assurance, it is imperative that organizations conduct periodic vulnerability assessments, penetration tests, and security audits.
Layer 5: Governance
Governance would include security-related metrics, benchmarking and reporting the security posture to the organization’s board.
So will following defense in depth ensure 100% security?
Before I answer, let me use this example: Is there any swimming pool that is 100% safe? The answer to that is clearly no. You can drown in the shallow end as well as in the deep end. However, the probability of drowning in the shallow end is much lower than the probability of drowning in the deep end.
Security is similar. No one can claim to be 100% secure. However, by following defense in depth and other good practices, organizations can significantly reduce the probability of a security breach.
In addition to focusing on preventing security breaches, what should organizations do?
Well, at some point CISOs realize that, in spite of their best efforts, security incidents can occur. In today’s world, the success of a security program should not be defined singularly by the ability to prevent security breaches but by the organization’s ability to rapidly bounce back. The focus then should be on being able to detect accurately and respond promptly.
A number of the leading organizations today are using advanced analytics to detect security threats. They are correlating events across a variety of network devices and servers to identify potential breaches. In addition, detection is increasingly based on user behavior rather than simple signatures.
Lastly, once a breach has been identified, time is of the essence. An organization’s incident response should be fast, focused and prompt. Advance preparation and planning are critical when it comes to a successful incident response.
Thus, in my opinion, the need of the hour today is a well-integrated incident prevention, detection, and response program.
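To make the point about correlating events across devices and detecting on behavior rather than signatures concrete, here is an added example (not part of the interview, and not EdgeVerve's tooling): it joins constructed VPN-gateway login events with constructed file-server read events, learns each user's usual countries and transfer sizes from their own history, and raises an alert only when a login from a never-before-seen country is followed within an hour by a transfer far above that user's baseline. Log formats, field names, the one-hour window and the 10x factor are all illustrative assumptions.

```python
"""Behaviour-based detection by correlating two log sources (added example).
Sample log lines are constructed; field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN-gateway events: timestamp, user, source country.
VPN_LOG = """\
2017-03-01T08:02:11 vpn login user=asha country=IN
2017-03-02T08:10:43 vpn login user=asha country=IN
2017-03-03T08:05:02 vpn login user=asha country=IN
2017-03-03T23:41:19 vpn login user=asha country=RO
2017-03-01T09:00:00 vpn login user=ravi country=IN
2017-03-03T09:01:30 vpn login user=ravi country=IN
"""

# Constructed file-server events: timestamp, user, bytes read.
FILE_LOG = """\
2017-03-01T08:30:00 fs read user=asha bytes=20000000
2017-03-02T08:35:12 fs read user=asha bytes=25000000
2017-03-03T08:40:05 fs read user=asha bytes=18000000
2017-03-03T23:55:40 fs read user=asha bytes=900000000
2017-03-03T09:30:00 fs read user=ravi bytes=700000000
"""

def parse(log):
    """Turn 'TIMESTAMP source action k=v k=v' lines into dicts."""
    events = []
    for line in log.splitlines():
        ts, _source, _action, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events

def detect(vpn_log, file_log, window=timedelta(hours=1), factor=10):
    """Alert when a user's login comes from a country never seen for that user
    AND a read within `window` of it exceeds `factor` x their largest prior read.
    Either signal alone is noisy (travel, a legitimate bulk copy); the
    correlation is what a signature on a single event cannot express."""
    logins = sorted(parse(vpn_log), key=lambda e: e["ts"])
    reads = parse(file_log)
    seen_countries, alerts = defaultdict(set), []
    for login in logins:
        user, t0 = login["user"], login["ts"]
        # Per-user baseline: largest transfer strictly before this login.
        baseline = max((int(r["bytes"]) for r in reads
                        if r["user"] == user and r["ts"] < t0), default=0)
        new_country = login["country"] not in seen_countries[user]
        seen_countries[user].add(login["country"])
        if not (new_country and baseline):
            continue  # usual country, or no history yet to compare against
        for r in reads:
            if (r["user"] == user and t0 <= r["ts"] <= t0 + window
                    and int(r["bytes"]) > factor * baseline):
                alerts.append((user, t0.isoformat(), login["country"], int(r["bytes"])))
    return alerts
```

Note that ravi's 700 MB read is not flagged: it is large, but came from his usual country, so a volume-only rule would have produced a false positive where the correlated rule stays quiet.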
What are your thoughts on the skill shortage in Information Security?
It is true there is a dearth of technically competent and skilled Information Security professionals in the country. That said, I am also very impressed by the quality of the current crop of young security professionals, especially those involved in web application security. The various bug bounty programs have resulted in great interest in application security, and today I see amazing work being done by youngsters who are still in college or have just a couple of years of work experience. Overall, this is good for the industry and, dare I say, the country too.
The need of the hour is for companies, academia, and senior Infosec leaders to come together to guide and mentor the younger generation. Without that, we will continue to see challenges with getting the right people for Information Security.
Any last thoughts for people interested in building their career in the domain?
I will be brief here: security is all about mindset. It is about thinking in a way a malicious attacker would. Network with other practitioners. Read continuously about security. Find a mentor. Lastly, for someone to be truly successful in this domain, (s)he has to be truly passionate about security.